Android SDK suffers from buffer overflow and lack of hardening

Summary: The droidsec security group has discovered and patched a buffer overflow issue and a lack of compile-time hardening in the Android Debug Bridge.

TOPICS: Security, Android, Linux

A classic buffer overflow vulnerability has been discovered in the Android software development kit (SDK), affecting all versions of the Android Debug Bridge on Linux x86_64.

In the exploit scenario, an attacker on a multi-user system starts a malicious Android Debug Bridge (ADB) server, the component that interfaces with Android devices, and waits for ADB clients to connect. Those clients are started by developers who want to debug apps or send commands to devices. Because the overflow occurs early in protocol negotiation, droidsec said any command that communicates with the ADB server will lead to successful exploitation.

Writing in a blog post to publicly disclose its findings, the droidsec group said that the exploit was confirmed on version 18.0.1 of the Android SDK platform tools on x86_64 Ubuntu Linux 12.04. Attempts to exploit the vulnerability on a 32-bit Linux system and the adb binary found on the Nexus 4 were unsuccessful. The droidsec team said it did not test the vulnerability on any Windows system.

Droidsec also discovered that the ADB binary did not have a non-executable stack and that the executable was not position independent. The droidsec team said that taking advantage of this situation would be trivial.

"It should also be noted that host compilation also seems to intentionally opt out of the FORTIFY_SOURCE protections," droidsec said. "It's not clear why this is the case since the comment near this line of code references an internal only bug number."

The issues were discovered in early December, with patches submitted by droidsec soon after and accepted by Google into Android's source code tree. Following a lack of communication from Google, the droidsec team decided to publicly disclose the issues and patches.



About

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.


Talkback

2 comments
  • Is anybody surprised??

    After all, we are talking about "Google quality" software.
    wackoae
    • Nobody is surprised that software has bugs

      But you seem to be implying only Google software has bugs.
      Care to name a software company with a 100% bug-free record?
      anothercanuck